Compliance

Contents

Overview

Government and industry regulations require IT organizations conform to some standard practices. To become compliant with the regulations such as SOX, HIPAA, CISP, PCI, Sarbanes-Oxley and others, device configurations should conform to the standards specified. The standards could be anything - ensuring the presence or absence of certain strings, commands or values. Network Configuration Manager helps in automatically checking for compliance to the rules defined. Also, detailed reports on policy compliance and violations are generated.
 

How does compliance check work?

Users can define a set of rules specifying the mandatory requirements - what the configuration should contain and/or what it should not contain.  The rules can be grouped and defined as 'Compliance Policy'. Each device or a group of devices can be associated with the required policy or policies. Upon backing up configurations, Network Configuration Manager will automatically scan the configuration for compliance to the policy defined and report violations. Users can also run manual compliance checks at any given instance. Additionally, compliance checks can be scheduled to run on a hourly, daily weekly and monthly basis.

How does compliance check benefit me?

Compliance check enables network administrators save a lot of time by automating the standards checking process. Besides it helps in

  • automating the process of ensuring that every device configuration in the network adheres to important security policies and best practices

  • ensuring that the configuration confirms to standard practices to satisfy Government and industry regulations

  • simplifying the requirements for standards compliance audit through comprehensive and intuitive reports

 

How do I enable compliance check?

Enabling compliance check starts with compliance policy creation, which is a three-step process:

 

1. Add a Rule

Define the line or lines that are to be either compulsorily present or should not be present in the configuration file. A typical example for a rule is checking the access list configuration or checking the community string. Decide what amounts to violation - presence or absence of a particular line or a set of lines in the configuration file

To add a rule,

  1. Click on Compliance tab >> Rule >> "+" icon

  2. Enter Rule Name, Description and other details

  3. Select 'Simple Criteria' if your requirement is just to check for the presence or absence of a single line or a group of lines in the configuration file

  4. If you want to specify more complex criteria using Regular Expression, select 'Advanced Criteria' and then enter the line in the text field

  5. If you want to define the beginning and the end of the required configuration blocks for selective compliance check, select 'Advanced custom Criteria'. This is just an extension of 'Advanced Criteria'

 

How to choose the required criteria?
 

Simple Criteria

Advanced Criteria

Advanced Custom Criteria

To check for the presence or absence of a single line or a group of lines in the configuration file.

 

Example:

 

Check if the configuration contains all of the following lines:

 

snmp-server community public RO

snmp-server community private RW

 

Network Configuration Manager goes about checking the lines (specified by you) one-by-one against the configuration file.

 

 

To specify more complex criteria using Regular Expression.

 

Example:

 

Check if enable secret is configured

 

enable secret 5 $1$3Jcu$sB3  

 

In the above example, the single digit number and other characters that follow enable secret will differ in each case. So, simple criteria cannot be used here to check if enable secret has been properly configured. You need to use Advanced Criteria.

 

 

To define the beginning and the end of the required configuration blocks for selective compliance check. This is just an extension of 'Advanced Criteria'.

 

Example:

 

Check if description is written for all the interface blocks

 

interface FastEthernet0/0

 description branch office 1 connectivity

 ip address 192.168.118.32 255.255.255.0

 service-policy output Stream

!

interface FastEthernet0/1

 description branch office 2 connectivity

 ip address 192.168.118.32 255.255.255.0

 service-policy output Stream

!

 

There will be many such interface blocks in the device configuration. And, the interface name and the description will vary for each block. So, neither simple criteria nor advanced criteria could be used for creating compliance rule. You need to used 'Advanced Custom Criteria', which will help in checking each configuration block individually.

 

 

 

Simple Criteria

 

Criteria

Description

Example

Should contain all lines

The configuration to be checked for compliance should contain all the lines specified by you. Even if a single line is not found, it will be pronounced as 'violation'. Network Configuration Manager goes about checking the lines (specified by you) one-by-one against the configuration file. It is not necessary that the lines should be present exactly in the same order as specified by you. Since the check is done line-by-line, it is enough if the all the lines are present anywhere in the configuration.

Criteria: Should contain all lines

Configuration lines to check:

 

snmp-server community public RO

snmp-server community private RW

Violation:

If any or all the lines are NOT present in the configuration file (irrespective of the order of the presence of the lines)

Should not contain any line

Exactly opposite to the above. The configuration to be checked for compliance should NOT contain any of the lines specified by you. Even if a single line is found, it will be pronounced as 'violation'. Network Configuration Manager goes about checking the lines (specified by you) one-by-one against the configuration file. The order of the lines are not important.

Criteria: Should not contain any line

Configuration lines to check:

 

snmp-server community public RO

snmp-server community private RW

 

Violation:

If any or all the lines are present in the configuration file (irrespective of the order of the presence of the lines)

Should contain exact set

This is similar to 'Should contain all lines', but the difference is that the order of the lines is taken into consideration. If you have specified four lines, Network Configuration Manager will go about checking if all the four lines are present in the same order as specified. If the lines are not present exactly as specified, it will be pronounced as rule violation.

Criteria: Should contain exact set

Configuration lines to check:

snmp-server enable traps hsrp

snmp-server enable traps config

snmp-server enable traps entity

 

Violation:

If all the lines are NOT present in the configuration file in the same order (and same set) as specified

Should not contain exact set

Exactly opposite to the above. This is similar to 'Should not contain any line', but the difference is that the order of the lines is taken into consideration. If you have specified four lines, Network Configuration Manager will go about checking if the configuration contains the all the four lines in the same order as specified. If the lines are present exactly as specified, it will be pronounced as rule violation.

Criteria: Should not contain exact set

Configuration lines to check:

snmp-server enable traps hsrp

snmp-server enable traps config

snmp-server enable traps entity

 

Violation:

If all the lines are present in the configuration file in the same order (and same set) as specified

 

 

simple-criteria-v12  simple-criteria-new-rule-v12 

 

Advanced Criteria

You can make use of certain Regular Expressions in providing the criteria for checking the configuration for compliance. The following are few examples:
 

Regular Expression Patterns & Description

Matching specific characters  

 

Characters inside square brackets can be used to match any of the characters mentioned therein.

 

Example:

[abc] - This is to look for any of the characters a, b or c. The matching is case-sensitive.  

 

Matching a range of characters or numbers  

 

Character range inside square brackets can be used to match any of the characters in the range specified therein. The character range could be alphabets or numbers. The matching is case-sensitive.  

 

Examples:

[a-zA-Z] - This will match any character a through z or A through Z

[0-9] - This will match any digit from 0 to 9  

 

Other Specific Matches

.   a dot can be used to match any single character, including space.

d  to match any digit from 0 to 9

D  to match any character other than a digit (0-9)

s  to match a single space character

S  to match any character other than space

X?  question mark preceded by a character. The character (in the example here 'X') that precedes the question mark can appear at the most once or does not appear at all

X*  asterisk preceded by a character. The character (in the example here 'X') can appear any number of times or not at all

X+  plus sign preceded by a character.  The character (in the example here 'X') must appear at least once

X|Y characters separated by a pipe symbol. This is to match either first character or the next one. In the example here, this is to match either X or Y

 

For more details, refer to the "Regular Expression Tutorials" of Java Tutorials.

More Examples:
 

Description

RegEx Pattern

To check if enable secret is configured

 

enable secret d S+  - to match any line containing the text "enable secret" followed by any single digit from 0 to 9 AND any character other than space appearing at least once

To check if there is a 'public' community present in the configuration

snmp-server community public RO|RW - to match any line containing the text "snmp-server community public" followed by either "RO" or "RW"

To check if logging to a syslog server has been configured

 logging S+  - to match any line containing the text "logging" followed by an ip address

 

 

 

 

Criteria

Description

Example

Should contain

The configuration to be checked for compliance should contain the line matching the RegEx pattern specified by you.

Criteria: Should contain line(s) as per the RegEx pattern defined

Configuration lines to check:

snmp-server community public RO|RW

Violation: If the line  "snmp-server community public" followed by either "RO" or "RW" is NOT present

Should not contain

The configuration to be checked for compliance should not contain the line matching the RegEx pattern specified by you.

Criteria: Should not contain line(s) as per the RegEx pattern defined

Configuration lines to check:

snmp-server community public RO|RW

Violation: If the line  "snmp-server community public" followed by either "RO" or "RW" is present

Usage of AND/OR condition

Two or more RegEx patterns defined for 'Should Contain' or 'Should not contain' could be combined through AND/OR conditions

--

 

advanced-criteria-v12  advanced-criteria-new-rule-v12 

 

Advanced Custom Criteria

As mentioned above, 'Advanced Custom Criteria' is just an extension of 'Advanced Criteria' and it helps in defining the beginning and the end of the required configuration blocks for selective compliance check. Both 'Simple Criteria' and 'Advanced Criteria' are used to check the entire configuration of a device for compliance to a rule. There might be requirements to check specific portions of the configuration for compliance to a rule.

For example, assume that in certain Cisco Switches, the administrator wants to check if description is written for all the interface blocks. So, every single interface block has to be checked for compliance to this rule. The device configuration will have so many interface blocks with different names. Hence, you cannot define a suitable compliance rule to check all the interface blocks using the previous two criteria options - simple and advanced. They will only help in defining a constant rule to check the entire configuration once - not every single interface block.

In such cases, administrator can make use of the 'Advanced Custom Criteria' to achieve this. He can simply define the starting and ending of the interface blocks and create an advanced custom criteria. Once this is done, Network Configuration Manager will split the configuration into configuration blocks and check for compliance. The compliance result for each block will be reported individually. It will then be very simple for the administrator to find which configuration blocks do not have full-duplex connection enabled and take remediation accordingly.

Besides, you can also specify some extra conditions through the "Additional Block Criteria". This gives you the option to exclude any configuration block within the interface block specified above, for compliance check. (See the example below to get better understanding).

Defining the criteria in this case is exactly the same as 'Advanced Criteria'. Thus, the only difference between 'Advanced Criteria' and 'Advanced Custom Criteria' is that the user can define the beginning and the end of the required configuration blocks for selective compliance check.


Specifying the starting and ending of configuration

 

Consider the following configuration blocks in a Cisco Switch:

 

interface FastEthernet0/0

 description branch office 1 connectivity

 ip address 192.168.118.32 255.255.255.0

 service-policy output Stream

!

interface FastEthernet0/1

 description branch office 2 connectivity

 ip address 192.168.118.32 255.255.255.0

 service-policy output Stream

!

 

If you want to check if all the interface blocks have a description configured, you need to specify the 'Configuration Block Start' as interface in the text field. Similarly, for 'Configuration Block End', you can enter ! in the text field.

You can define the conditions for the rule as explained for 'Advanced Criteria' above. For the particular example of checking the configuration blocks for description, the rule will look like the screenshot below.

In case, you want to exclude the interfaces that were shutdown from carrying out the compliance check, you may include "Additional Block Criteria". In the drop-down against 'Advanced Block Criteria', choose the condition "Should Not Contain"  and type the word the word "shutdown" in the text field. When you do so, while checking if all the interface blocks contain description, the shutdown blocks will be left out from compliance check.

 

advanced-custom-criteria-v12  advanced-custom-criteria-new-rule-v12 

 

How Network Configuration Manager checks compliance?

When you specify as above, all the blocks in the configuration starting with the word 'interface' and ending with ! will be tested for compliance to the criteria defined. The compliance result for each such configuration block will be presented individually. Overall result will be presented based on 'AND' of all the individual results. Even if only one configuration block shows violation, the overall result will be 'violation'. You can dig the report deep, analyze the individual results and find out what is wrong with the violations.

  • Finally specify the severity for violation. And select the remediation configlet and provide the remediation description if any.

  • Click on "Save"

 

2. Group the Rules

You can create many rules to cater to specific requirements.  A 'Rule Group' refers to a collection of rules. Create a 'Rule Group' by selecting the required rules.

To create a rule group,

  1. Click on Compliance tab>> Rule Group >> "+". Enter Rule Group Name, Description and other details

  2. Select the rule/rules to be added to this group. Click "Save".

 

3. Create Policy

Once a rule group is created, you can go ahead to create the required compliance policy by selecting the required Rule Groups. Compliance check is done on all policies associated with a device.

To create a policy,

  1. Click on Compliance tab>> Policies >> "+" Enter Policy Name, Description and other details

  2. Specify the configuration file type (running/startup) against which the rules in this policy should be checked. For example, if you choose 'Running' only the current running configuration of the device will be checked for compliance with this policy

  3. Select the 'Policy Violation Criteria' - i.e specify what amounts to policy violation - your policy might contain different rules with different severities; you can specify here as violation

    • if any rule (irrespective of the severity is found violated) (OR)
    • only critical or major rules are violated
       
  4. Select the required rule groups and click 'Save'

 

4. Associate Devices with Compliance Policy

After creating a policy, you need to associate it with the required devices/device groups.

To associate a policy with a device/devices,

  1. Click on Compliance >> Policies. Click the link 'Associate devices' present against the policy

  2. Select the devices / device groups and click 'Save'

 

Running Compliance Check

After associating a policy with a device or device group, you are ready to run compliance check.

To run compliance check for a single device,

  1. Go to "Device Details" page of the specific device

  2. Click "Run Compliance Check" present under "More Actions". You can even add a schedule for compliance check to be executed at a future point of time. To schedule this, goto Settings >> NCM >> All Schedules >> "Schedule Compliance Check" and fill in the details. When you schedule compliance check, you get the option to notify policy violations to desired recipients by email 

To run compliance check for a device group,

  1. Go to "Inventory" >> "Device Group" page and click device group for which compliance check has to be run

  2. Click "Run Compliance Check" present under the box "More Actions". You can even add a schedule for compliance check to be executed at a future point of time. To schedule this, goto Settings >> NCM >> All Schedules >> "Schedule Compliance Check" and fill in the details. When you schedule compliance check, you get the option to notify policy violations to desired recipients by email

 

Running Adhoc Tests

During any stage of compliance policy creation (rule creation, rule group creation & policy creation), you can perform checks on adhoc basis to test the validity of the rule/rule group/policy added by you. The adhoc tests depict the results then and there. After adding a rule, you can perform adhoc test for a device/device group by clicking the "Adhoc Test" button present in Compliance tab >> Rule Similarly, adhoc tests can be performed for rule group from Compliance tab >> Rule Group GUI and for Policy from Compliance >> Policy GUI.

 


 

Was this article helpful?